-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2001.341 -- Debian Security Advisory DSA-074-1
buffer overflow in Window Maker
14 August 2001

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:                wmaker
Vendor:                 Debian
Operating System:       Debian GNU/Linux 2.2
Platform:               Alpha
                        ARM
                        i386
                        Motorola 680x0
                        PowerPC
                        Sparc
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-074-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
August 12, 2001
- - ------------------------------------------------------------------------

Package        : wmaker
Problem type   : buffer overflow
Debian-specific: no

Alban Hertroys found a buffer overflow in Window Maker (a popular window
manager for X). The code that handles titles in the window list menu did
not check the length of the title when copying it to a buffer. Since
applications will set the title using untrusted data (for example web
browsers will set the title of their window to the title of the web-page
being shown) this could be exploited remotely.

This has been fixed in version 0.61.1-4.1 of the Debian package, and
upstream version 0.65.1.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.2 alias potato
- - ---------------------------------

Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
These packages will be
moved into the stable distribution on its next revision.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- - --
- - ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBO3at6qjZR/ntlUftAQGFewMAtdrKeonOpOe2+z7bvOf18n6OFksj1uPV
nNar80PjPi5j4qXqWzsryQ9Qt2bPZuWafRSCnGcTdR2lBYXYrw9p/JW7DxNsvysH
UOeN0i+idX0k58C0C/w3+8FyPMuAtHIG
=VyH1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO3kWiCh9+71yA2DNAQFbNQP7BnT3g3j6UJiFge1ebBP2DHAEzchystyP
dGDbxqTB6rUWS7c5Xv1iQAl4wvXmsgRYpDb4Y1luXe9Bek2uLR6+j3B9pcBNXQR4
SRmUd+VOVL5ORBSmBbNWES7juM7eOEWpVGx4+Ah2GLk6XiA+O7FrTbGhMdQNyM/v
RJYLTso/Ac4=
=/cCH
-----END PGP SIGNATURE-----
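
The unchecked title copy described in the advisory above, shown next to a length-checked version that truncates oversized titles. This is an added example, not Window Maker's code or part of the bulletin; LABEL_MAX, label_unchecked and label_checked are hypothetical names, and the 300-byte title is constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LABEL_MAX 64   /* hypothetical size of the menu-entry buffer */

/* Pattern the advisory describes: the title is copied with no length
 * check, so a title longer than the buffer writes past its end.
 * Kept for contrast only; it is never called in this example. */
void label_unchecked(char *label, const char *title)
{
    strcpy(label, title);
}

/* Checked form: never writes more than dstsz bytes, always terminates,
 * and ends a cut title with "..." so the truncation is visible.
 * Returns 0 if the title fit, 1 if truncated, -1 on bad arguments. */
int label_checked(char *dst, size_t dstsz, const char *title)
{
    size_t len;

    if (dst == NULL || dstsz == 0)
        return -1;
    if (title == NULL)
        title = "";
    len = strlen(title);
    if (len < dstsz) {
        memcpy(dst, title, len + 1);        /* title plus its NUL */
        return 0;
    }
    if (dstsz >= 4) {
        memcpy(dst, title, dstsz - 4);
        memcpy(dst + dstsz - 4, "...", 4);  /* "..." plus its NUL */
    } else {
        memcpy(dst, title, dstsz - 1);
        dst[dstsz - 1] = '\0';
    }
    return 1;
}

int main(void)
{
    char label[LABEL_MAX], title[300];

    memset(title, 'A', sizeof title - 1);   /* constructed oversized title */
    title[sizeof title - 1] = '\0';
    printf("%d [%s]\n", label_checked(label, sizeof label, "xterm"), label);
    printf("%d [%s]\n", label_checked(label, sizeof label, title), label);
    return 0;
}
```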